Post on 25-Jun-2020

Bitcoin Security: Cryptographic Risks

Nicolas T. Courtois University College London, UK

with special thanks to Jean-Jacques Quisquater [UCL Belgium] who taught me cryptography when I was a student but could not make it today

Security of Bitcoin

2

Dr. Nicolas T. Courtois

1. cryptologist and codebreaker

2. payment and smart cards (e.g. bank cards, Oyster cards etc…)

Crypto Currencies

3 Nicolas T. Courtois 2009-2014

LinkedIn


UCL Bitcoin Seminar (research seminar)

=>In central London, runs EVERY WEEK!

public web page:

blog.bettercrypto.com / SEMINAR

or Google "UCL bitcoin seminar"


Our Works on Bitcoin

(cf. also blog.bettercrypto.com)

- Nicolas Courtois, Marek Grajek, Rahul Naik: The Unreasonable Fundamental Incertitudes Behind Bitcoin Mining, http://arxiv.org/abs/1310.7935

- Nicolas Courtois, Marek Grajek, Rahul Naik: Optimizing SHA256 in Bitcoin Mining, CSS 2014, Springer.

- Nicolas Courtois, Lear Bahack: On Subversive Miner Strategies and Block Withholding Attack in Bitcoin Digital Currency, http://arxiv.org/abs/1402.1718

- Nicolas Courtois: On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies, http://arxiv.org/abs/1405.0534

- Nicolas T. Courtois, Pinar Emirdag and Daniel A. Nagy: Could Bitcoin Transactions Be 100x Faster? In proceedings of SECRYPT 2014, 28-30 August 2014, Vienna, Austria.

- Nicolas T. Courtois, Pinar Emirdag and Filippo Valsorda: Private Key Recovery Combination Attacks: On Extreme Fragility of Popular Bitcoin Key Management, Wallet and Cold Storage Solutions in Presence of Poor RNG Events, 16 Oct 2014, http://eprint.iacr.org/2014/848

- Poster: http://www.nicolascourtois.com/bitcoin/POSTER_100x_Secrypt2014_v1.0.pdf


My Whole Life:

Tried to improve the security baseline…


Crying Wolf!

51%, Elliptic Curve, OpenSSL...


It did NOT help,

The Wolf was allowed to operate


We failed to protect our DATA


We fail to protect our MONEY


Solution = Decentralized P2P


Solution = BlockChain

• Until recently, we’ve needed central bodies – banks, stock markets, governments, police forces – to settle vital questions.

– Who owns this money?

– Who controls this company?

– Who has the right to vote in this election?

• Now we have a small piece of pure, incorruptible mathematics enshrined in computer code that will allow people to solve the thorniest problems without reference to “the authorities”.

http://www.telegraph.co.uk/technology/news/10881213/The-coming-digital-anarchy.html

[11 June 2014]


But Is Cryptography Incorruptible?

NSA 2013 Budget, excerpts:

[…] actively engages the US and foreign IT industries to covertly influence and/or overtly leverage their commercial products' designs.

[…] Insert vulnerabilities into commercial encryption systems […]

[…] Influence policies, standards and specification for commercial public key technologies.[…]

Code Breakers

14

John Nash, 1955. In 2012 the NSA declassified his hand-written letter:

He also says that:

“[…] the game of cipher breaking by skilled teams, etc., should become a thing of the past.” […]

Groups and ECC

15

Elliptic Curve Crypto

“exponential security”


ECC - Certicom Challenges [1997, revised 2009]

TOTAL = 725,000 USD

Cryptographic Security of ECDSA in Bitcoin

P vs. NP

• If you solve P vs. NP: 1 M$.

• Nobel Prize, Abel Prize in mathematics: roughly 1 M$

• Break bitcoin ECC: About 4 BILLION $.


How to Steal Bitcoins

New attacks [Courtois et al. October 2014]


ECDSA Attack – 2 Users

random a: must be kept secret!

Signing: RNG → random a; R = a.P gives r; s = (H(m) + dr)/a mod n; signature (r, s)

same a used twice => detected in public blockchain (same r)
=> (s1 a − H(m1))/d1 = r = (s2 a − H(m2))/d2 mod n
=> r(d1 − d2) − a(s1 − s2) = H(m2) − H(m1) mod n

each person can steal the other person’s bitcoins!

=> either of them CAN recompute the a (the nonce, often written k) that was used

has already happened 100 times in Bitcoin


Attack – Same User

random a: must be kept secret!

Signing: RNG → random a; R = a.P gives r; s = (H(m) + dr)/a mod n; signature (r, s)

same a used twice by the same user (d1 = d2). In this case we have:
(s1 a − H(m1)) = rd = (s2 a − H(m2)) mod n
=> a = (H(m1) − H(m2))/(s1 − s2) mod n AND now d = (s a − H(m))/r mod n

anybody can steal the bitcoins!

has also happened many times in Bitcoin


Stopped in 2013?

Android bug was fixed…


Second Major Outbreak – May 2014


Recent Bad Randoms

From my own scan:

0f25a7cc9e76ef38c0feadcfa5550c173d845ce36e16bde09829a3af57097240

Appears 8 times in block 322925

28 September 2014

Used by different users…
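The two attack slides above give the algebra; this scan slide gives the symptom (one r value appearing eight times in a block). As an added example that is not part of the original deck, the Python below implements the detection side only: it groups a batch of (txid, pubkey, r, s) records by r and classifies each repeat as either "same user" (one key used the nonce for two different messages, so anyone can recover that key) or "cross-user" (two keys shared a nonce, so each holder can recover the other's key). The signature records are constructed sample data (the only real value is the r quoted on the slide); the record layout and function names are my own assumptions.

```python
# Added example, not part of the slides: detect the "bad random" symptom the
# deck describes (one r value appearing in several ECDSA signatures) and
# classify each repeat by how much damage it implies.
from collections import defaultdict

# The r value quoted on the slide (appeared 8 times in block 322925).
R_FROM_SLIDES = "0f25a7cc9e76ef38c0feadcfa5550c173d845ce36e16bde09829a3af57097240"

# Constructed sample records (txid, pubkey, r, s); apart from R_FROM_SLIDES
# every value here is made up for the demonstration.
SAMPLE_SIGNATURES = [
    ("tx-a1", "pubkey-A", R_FROM_SLIDES, "11" * 32),
    ("tx-b1", "pubkey-B", R_FROM_SLIDES, "22" * 32),  # another user, same r
    ("tx-c1", "pubkey-C", "aa" * 32, "33" * 32),
    ("tx-c2", "pubkey-C", "aa" * 32, "44" * 32),      # same user, same r
    ("tx-c3", "pubkey-C", "aa" * 32, "44" * 32),      # same signature seen twice
    ("tx-d1", "pubkey-D", "bb" * 32, "55" * 32),      # unique r: nothing to report
]


def find_reused_nonces(signatures):
    """Group signatures by r and classify every r that occurs in more than one
    distinct signature.

    Returns {r: {"keys": [...], "txids": [...], "severity": ...}} where severity is
      "key-compromise": one key signed two different messages with the same nonce
                        (slide "Attack - Same User"): anyone can recover that key;
      "cross-user":     distinct keys shared a nonce (slide "ECDSA Attack - 2 Users"):
                        each holder can recover the other's key.
    """
    by_r = defaultdict(list)
    for txid, pubkey, r, s in signatures:
        by_r[r.lower()].append((txid, pubkey, s.lower()))

    findings = {}
    for r, uses in by_r.items():
        distinct = {(pubkey, s) for _, pubkey, s in uses}
        if len(distinct) < 2:
            continue  # one signature relayed twice is not a nonce reuse
        keys = sorted({pubkey for pubkey, _ in distinct})
        same_key_twice = len(distinct) > len(keys)
        findings[r] = {
            "keys": keys,
            "txids": [txid for txid, _, _ in uses],
            "severity": "key-compromise" if same_key_twice else "cross-user",
        }
    return findings


def report(signatures):
    """Human-readable summary, one line per repeated r."""
    lines = []
    for r, info in sorted(find_reused_nonces(signatures).items()):
        lines.append(f"{info['severity']:14} r={r[:16]}... "
                     f"keys={info['keys']} txids={info['txids']}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SIGNATURES):
        print(line)
```

A wallet or exchange can run the same grouping over its own outgoing signatures before broadcasting them; a repeated r from one of its own keys means that key must be retired immediately, because the recovery formula on the slide needs nothing but the two public signatures.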


So What?

Previous attacks:

• Classical bad random attacks typically concern only very few bitcoin accounts, and only some very lucky holders of bitcoins can actually steal other people's bitcoins.

• Only a few hundred accounts in the whole history of bitcoin are affected.


The Really Scary Attacks

New attacks [Courtois et al. October 2014]

=> under certain conditions ALL bitcoins in cold storage can be stolen

=> millions of accounts potentially affected.


New Paper: cf. eprint.iacr.org/2014/848/


Solutions:

Solution 1: Deterministic signatures = RFC6979 by Thomas Pornin

Solution 2: MultiSig: for example 2 out of 3 signatures are required to spend bitcoins.
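Solution 1 above names RFC 6979. As an added example, not code from the deck nor from Thomas Pornin's own implementation, here is the nonce derivation of RFC 6979 section 3.2 (HMAC-DRBG seeded with the private key and the message hash) in Python using only the standard library's hmac and hashlib, parameterised with the secp256k1 group order n that Bitcoin uses. Function names and the demo key are my own assumptions.

```python
# Added example, not part of the slides: deterministic ECDSA nonce derivation
# per RFC 6979 section 3.2, instantiated for the secp256k1 group order n.
import hashlib
import hmac

# Order n of the secp256k1 base point (a public curve parameter).
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _bits2int(b, qlen):
    """RFC 6979 2.3.2: the leftmost qlen bits of b, as an integer."""
    x = int.from_bytes(b, "big")
    blen = len(b) * 8
    return x >> (blen - qlen) if blen > qlen else x


def _int2octets(x, rolen):
    """RFC 6979 2.3.3: fixed-length big-endian encoding."""
    return x.to_bytes(rolen, "big")


def _bits2octets(b, q, qlen, rolen):
    """RFC 6979 2.3.4: bits2int, reduce once mod q, then int2octets."""
    z1 = _bits2int(b, qlen)
    z2 = z1 - q
    if z2 < 0:
        z2 = z1
    return _int2octets(z2, rolen)


def rfc6979_nonce(private_key, message_hash, q=SECP256K1_N, hash_fn=hashlib.sha256):
    """Deterministic nonce k (the 'a' of the slides) for signing message_hash
    with private_key (an integer in [1, q-1]).

    The same (key, hash) pair always yields the same k, so 'same a used twice'
    can only happen when the same message is signed twice, which reproduces
    the identical (r, s) and gives an observer no second equation to solve.
    """
    if not 1 <= private_key < q:
        raise ValueError("private key out of range")
    qlen = q.bit_length()
    rolen = (qlen + 7) // 8
    holen = hash_fn().digest_size
    bx = _int2octets(private_key, rolen) + _bits2octets(message_hash, q, qlen, rolen)

    v = b"\x01" * holen                                   # step b
    k = b"\x00" * holen                                   # step c
    k = hmac.new(k, v + b"\x00" + bx, hash_fn).digest()   # step d
    v = hmac.new(k, v, hash_fn).digest()                  # step e
    k = hmac.new(k, v + b"\x01" + bx, hash_fn).digest()   # step f
    v = hmac.new(k, v, hash_fn).digest()                  # step g
    while True:                                           # step h
        t = b""
        while len(t) < rolen:
            v = hmac.new(k, v, hash_fn).digest()
            t += v
        candidate = _bits2int(t, qlen)
        if 1 <= candidate < q:
            return candidate
        # Out-of-range candidate (very rare for a 256-bit q): rekey and retry.
        k = hmac.new(k, v + b"\x00", hash_fn).digest()
        v = hmac.new(k, v, hash_fn).digest()


if __name__ == "__main__":
    demo_key = 0x1234_5678_9ABC_DEF0  # constructed demo value, not a real key
    for msg in (b"pay 1 BTC to alice", b"pay 1 BTC to alice", b"pay 2 BTC to bob"):
        h = hashlib.sha256(msg).digest()
        print(msg.decode(), "->", hex(rfc6979_nonce(demo_key, h)))
```

Because the nonce is a function of the private key, two different users signing the same message get different nonces, so the "2 users" case on the earlier slide cannot arise either; the RNG is out of the signing path entirely, which is the point of the solution.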


BTW. Multi-Sig Concept is NOT new…

1993


How to Un-corrupt Cryptography


Crypto Challenges:

I always liked this idea.

Claiming (very naively) that this would:

“punish those who by their ignorance, incompetence or because of a hidden agenda, put everybody's security at a great risk.”

[Courtois, May 2006, Quo Vadis Cryptology 4 conference]


ECC - Certicom Challenges [1997, revised 2009]

secp256k1 NOT INCLUDED: no prize if you break it


Timely Denial

Dan Brown, chair of SEC [Certicom, Entrust, Fujitsu, Visa International…]:

“I did not know that BitCoin is using secp256k1. I am surprised to see anybody use secp256k1 instead of secp256r1”,

September 2013,

https://bitcointalk.org/index.php?topic=289795.80


Comparison:

Used/recommended by:                              | secp256k1    | secp256r1
Bitcoin, anonymous founder, no one to blame…      | Y            |
SEC Certicom Research                             | surprised!   | Y
TLS, OpenSSL                                      | ever used??? | Y (98.3% of EC)
U.S. ANSI X9.63 for Financial Services            | Y            | Y
NSA suite B, NATO military crypto                 |              | Y
U.S. NIST                                         |              | Y
IPSec                                             |              | Y
OpenPGP                                           |              | Y
Kerberos extension                                |              | Y
Microsoft implemented it in Vista and Longhorn    |              | Y
EMV bank cards XDA [2013]                         |              | Y
German BSI federal gov. infosec agency, y=2015    |              | Y
French national ANSSI agency beyond 2020          |              | Y

Bitcoin Crypto Bets

34

Wanna Bet?

https://www.betmoose.com/bet/bitcoin-cryptography-broken-in-2015-791


betmoose.com - Totally Anonymous Bets In BTC!


Amount?

• Don’t bet a ridiculous amount!

• As long as we don’t have 2000 BTC in this bet, we will simply NOT yet know if bitcoin ECC is broken…

• Don’t expect that code breakers who can make 725,000 $ elsewhere will even try to break bitcoin Elliptic Curve

• They would rather steal some bitcoins – Possible only if your public key is revealed

=> Tip: use each Bitcoin address only once!

https://www.betmoose.com/bet/bitcoin-cryptography-broken-in-2015-791


Anarchy? Dark Side

• In Bitcoin many things which are BUGS are presented as FEATURES:

– monetary policy (or the lack of one) – frequent criticism

– problematic cryptography = anonymous founder syndrome, standardized yet TOTALLY disjoint from normal industrial cryptography, NOBUS syndrome (NSA jargon)

– decision mechanisms (the Longest Chain Rule): no reason why the same mechanism decides which blocks are valid and which transactions are valid; by far too slow, too unstable, too easy to manipulate

– 51% attacks ARE realistic, feasible and … INEXPENSIVE!

– sudden jumps in monetary policy => genetically-programmed self-destruction of many crypto currencies

See: Nicolas Courtois: On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies http://arxiv.org/abs/1405.0534


Dangers of Open Source

• “the open-source nature of the developer population provides opportunities for frivolous or criminal behavior that can damage the participants in the same way that investors can be misled by promises of get rich quick schemes [...]”

• “one of the biggest risks that we face as a society in the digital age [...] is the quality of the code that will be used to run our lives.”

Cf. Vivian A. Maese: Divining the Regulatory Future of Illegitimate Cryptocurrencies, In Wall Street Lawyer, Vol. 18 Issue 5, May 2014.


Citation

Bitcoin is:

• Wild West of our time [Anderson-Rosenberg]


Improve Quality/Security?

Bitcoin Has The Solution! (?)

• Future belongs to self-funded open-source communities

• can hire programmers, security experts, etc…

• avoid code of dubious origin


Koblitz citation:

“Once I heard a speaker from NSA complain about university researchers who are cavalier about proposing untested cryptosystems. He pointed out that in the real world if your cryptography fails, you lose a million dollars or your secret agent gets killed.

In academia, if you write about a cryptosystem and then a few months later find a way to break it, you've got two new papers to add to your résumé!”

Neal Koblitz, Notices of the American Mathematical Society, September 2007.


Official Bitcoin Wiki: https://en.bitcoin.it/wiki/Myths#Bitcoins_are_worthless_because_they.27re_based_on_unproven_cryptography

“SHA256 and ECDSA which are used in Bitcoin are well-known industry standard algorithms. SHA256 is endorsed and used by the US Government and is standardized (FIPS180-3 Secure Hash Standard).

If you believe that these algorithms are untrustworthy then you should not trust Bitcoin, credit card transactions or any type of electronic bank transfer.”

Bitcoin has a sound basis in well understood cryptography.


Well… actually it has a major bug in it.

Major security scandal in the making?

Expect a lawsuit??? for:

– failing to adopt the crypto/industry best practices,

– supporting a dodgy cryptography standard,

– not giving users worried about security any choice,

– and lack of a careful/pro-active/preventive security approach etc...

Blame Satoshi


Officially Not Recommended

Dan Brown, chair of SEC [Certicom, Entrust, Fujitsu, Visa International…]:

”I am surprised to see anybody use secp256k1”

September 2013,

https://bitcointalk.org/index.php?topic=289795.80


What If? CataCrypt Conference

Tried to improve the security baseline…

[Jean-Jacques Quisquater] again!


Solutions

• Use each fresh bitcoin account only once!

• Satoshi did something really brilliant:

– Most transactions do NOT reveal the public key.

– full disclosure is unbelievably stupid and simply BAD security engineering and BAD security management.

– Example: ATMs' top-level public keys


51%


Cancel A Fresh Transaction?

Cancel this?


Can Somebody Cancel A Transaction?

Yes, if he produces a longer chain with another version of the history.

Very expensive: a race against the whole network (the whole planet).

Can be easy or very difficult, it depends!


Attack: Extend This Branch To Cancel One Transaction (tx36)

Goal: generate 4 blocks.

cost = maybe 30 BTC, gain = 500 BTC: EASY and PROFITABLE! The only difficulty is the timing!!!!


This Attack IS FEASIBLE!

Nicolas Courtois:

On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies http://arxiv.org/abs/1405.0534


Easy Or Difficult?

Difficult if:

• All mining devices are privately held by independent solo miners.

Easy if:

• Many mining devices are rented through a market which allows one to instantly buy a lot of hashing power by paying a small premium over the market price.

WORSE THAN THAT:

• A large mining pool can re-sell ALL its hash power to the attacker => this CANNOT BE DETECTED by miners, due to a technicality which we will discuss later (mining with H0, not knowing on which branch/block they mine).
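Whether "generate 4 blocks" is easy or difficult depends on the share of the hash rate the attacker can assemble (his own, rented, or bought from a pool as described above) and on how many confirmations the recipient of tx36 waits for. As an added example that is not from the deck, the Python below evaluates the attacker catch-up probability from Section 11 of the Bitcoin whitepaper and uses it to choose a confirmation depth for a given risk tolerance, including the case where the attacker tops up his share by renting. The function names and the constructed share values are my own assumptions.

```python
# Added example, not part of the slides: attacker catch-up probability from
# Section 11 of the Bitcoin whitepaper, applied to "how many confirmations
# should the recipient of tx36 wait for?".
import math


def catch_up_probability(q, z):
    """Probability that an attacker controlling fraction q of the hash rate
    eventually overtakes an honest chain that is z blocks ahead of his
    private branch. p = 1 - q is the honest share."""
    if not 0.0 <= q < 1.0 or z < 0:
        raise ValueError("need 0 <= q < 1 and z >= 0")
    p = 1.0 - q
    if q >= p:
        return 1.0  # a majority attacker always catches up eventually
    lam = z * q / p  # expected attacker blocks while honest miners make z
    poisson = math.exp(-lam)  # Poisson(lam) probability of k = 0
    total = 0.0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k  # advance to P(k) without overflowing lam**k
        total += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - total


def confirmations_needed(q, max_risk, limit=1000):
    """Smallest confirmation depth z at which the catch-up probability drops
    below max_risk; raises if q is a majority or no depth up to limit works."""
    if q >= 0.5:
        raise ValueError("no confirmation depth is safe against a majority attacker")
    for z in range(limit + 1):
        if catch_up_probability(q, z) < max_risk:
            return z
    raise ValueError(f"no depth <= {limit} meets risk {max_risk}")


def rental_scenario(base_share, rented_share, z):
    """Catch-up probability before and after the attacker adds rented or
    pool-bought hash power to his own (the 'easy if' case on the slide)."""
    return (catch_up_probability(base_share, z),
            catch_up_probability(base_share + rented_share, z))


if __name__ == "__main__":
    # The slide's scenario: the attacker must produce 4 blocks to cancel tx36.
    for q in (0.1, 0.2, 0.3):
        print(f"q={q:.2f}: P(catch up from 4 behind)={catch_up_probability(q, 4):.4f}, "
              f"depth for <0.1% risk={confirmations_needed(q, 0.001)}")
    before, after = rental_scenario(0.1, 0.3, 4)  # constructed shares
    print(f"solo 10%: {before:.4f}; after renting another 30%: {after:.4f}")
```

The model assumes the honest share keeps mining on the public branch for the whole race; the slide's point is that rented and pool-resold hash power moves that share towards the attacker temporarily, which is why a depth that looks safe for a solo 10% miner can be far too shallow once the same attacker buys in the market.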


51% - Blunders, Mistakes, Misunderstandings


Is it a 51% Attack?

51 % attacks:

• computing power can be temporarily displaced.

• it is NOT a single number between 0 and 100%: two different hash powers at different moments.

• almost nobody gets it right ever… including Satoshi


Satoshi About 51%

Amazing level of confusion already in Satoshi's writings: in Section 6 of Satoshi's paper we read that:

“The incentive [like 25 BTC] may help encourage nodes to stay honest. If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it

• to defraud people by stealing back his payments,

• or using it to generate new coins.

He ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth.”

Claim: this ‘honest’ option is fiction.

WRONG: Attacker does NOT need to be powerful, hack a few servers… => 80%


Mistakes Live Forever

The Economist paper, 31 Oct 2015, page 22:

[one of the best papers on bitcoin ever seen, EXCEPT it downplays the 51% threat]:

• “Alice tries to rewrite history […] Short of controlling more than half the computers - known in the jargon as 51% attack – that should not be possible.”

WRONG: Alice can manipulate/cheat/hack miners to work for her [MITM].

• “You cannot predict which miner will solve a puzzle so you CANNOT predict who will get to update the blockchain at any given time, except […] it has to be one of hard working miners, not some random interloper”.

WRONG: Actually it is ALWAYS the pool manager who updates the blockchain and DECIDES what is included in the blockchain; miners are simple sub-workers deprived of their right to vote.
